lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 Oct 2016 14:34:39 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     AKASHI Takahiro <takahiro.akashi@...aro.org>,
        kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org
Subject: Re: [kernel-hardening] [RFC] module: add 'module_ronx=off' boot
 cmdline parameter to disable ro/nx module mappings

Hi,

On Tue, Oct 18, 2016 at 03:09:51PM +0900, AKASHI Takahiro wrote:
> As making CONFIG_DEBUG_RODATA mandatory is a good idea, so will be
> for CONFIG_SET_MODULE_RONX.

I completely agree, given most distros ship a large number of drivers as
modules...

> This patch adds a command line parameter, "module_ronx=," in order to
> make this configuration always on in the future, but still allowing for
> disabling read-only module mappings at boot time as "rodata=" does.
> 
> I have, however, some concerns on this prototype:
> (1) should we use a separate parameter like "module_ronx=," or
>     unify it with "rodata="?

I think this should be merged with "rodata=".

> (2) should we keep NX permission set even if module_ronx=off?

I think we should; for arm64 we set NX for kernel mappings even with
rodata=off, and I think we should be consistent.

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ